﻿<%@ Control Language="C#" Inherits="System.Web.Mvc.ViewUserControl<dynamic>" %>

<h3>Attack Scenario:</h3>
<p>
    The following example simulates a log-in form of any website with design flaw against SQL Injection attack.
</p>

<fieldset class="scenario_frame">
    <legend>Login to the system:</legend>

    <p>
        <label for="username">User Name:</label>
        <input type="text" id="username" name="username" />
    </p>
    <p>
        <label for="password">Password:</label>
        <input type="password" id="password" name="password" />
    </p>
    <p>
        <input type="submit" value="Login" />
    </p>

</fieldset>

<div class="lab_frame">

<p>
    An attacker wants to:
</p>
<p>
    <input type="radio" name="group" value="group1" id="group1" />By-pass authentication<br />
    User name: <span>' OR 1=1 -- </span><br />
    Password: <span>whatever</span>
</p>
<p>
    <input type="radio" name="group" value="group2" id="group2" />Delete table in DB<br />
    User name: <span>' DROP TABLE USER_TABLE -- </span><br />
    Password: <span>whatever</span>
</p>
</div>

<div id="simulate">
    <p>Stored procedure of the database process @username and @password as follows:</p>
    <p>IF EXISTS( SELECT * FROM USER_TABLE WHERE USERNAME=<span class="sql_input" id="si_user">@username</span> AND PASSWORD=<span id="si_pw" class="sql_input">@password</span> )</p>
    <p>&nbsp;&nbsp;AUTHENTICATE = TRUE</p>
</div>

<hr />

<script type="text/javascript">
    $("#group1").click(function () {
        $("#username").val("' OR 1=1 --");
        $("#password").val("whatever");
        $("#si_user").html("' OR 1=1 --");
        $("#si_pw").html("whatever");
    });
    $("#group2").click(function () {
        $("#username").val("' DROP TABLE USER_TABLE --");
        $("#password").val("whatever");
        $("#si_user").html("' DROP TABLE USER_TABLE --");
        $("#si_pw").html("whatever");
    });
</script>